Authorization Frameworks

Authorization Protocols

Our platform uses OAuth 2.1 (draft-ietf-oauth-v2-1, the consolidated revision of OAuth 2.0 that folds in its security best practices, including mandatory PKCE for the authorization code flow) to grant access to resources according to the access control models outlined in the previous chapter. OAuth defines four roles:

The Resource Owner (RO)

  • Definition: The Resource Owner is the entity with the authority to grant access to a protected resource. When the Resource Owner is a person it is referred to as an end-user; it may also be an organization.

  • Sidenote: Delegated access is when the Resource Owner authorizes another entity (an application, another user, or an organization) to perform actions on its behalf, within the limits of the granted scope and without handing over its own credentials.

The Resource Server (RS)

  • Definition: The Resource Server hosts the protected resources. It accepts requests for those resources from the Client and serves them through an API only after validating the access token presented with the request.

  • Sidenote: The Resource Server validates every access token before acting on a request, either locally (for a JWT: signature, issuer, audience and expiry) or by asking the Authorization Server through token introspection (RFC 7662), and then checks that the token's scope covers the requested action before authorizing it.

The Client

  • Definition: The Client is the application that requests protected resources on behalf of the Resource Owner, using the authorization the Resource Owner granted through the OAuth flow.

  • Sidenote: The Client can run on many platforms, including virtual machines, bare-metal servers, desktops, edge devices, and IoT devices. Whether it can keep a secret (a confidential client such as a backend service) or not (a public client such as a mobile or single-page app) determines how it must authenticate to the Authorization Server.

The Authorization Server (AS)

  • Definition: The Authorization Server authenticates the Resource Owner, obtains its authorization, and issues access tokens to the Client.

To authorize end-users, we use the Authorization Code Flow with Proof Key for Code Exchange (PKCE, RFC 7636). PKCE binds the authorization code to the client instance that started the flow, so a code intercepted on the redirect cannot be exchanged for a token by anyone else. It can be implemented using client libraries for the following use cases:

  • Mobile Applications

  • Native Applications

  • SaaS Platforms

  • Websites

  • Desktop Applications

  • Single Sign-On (SSO)
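The exchange described above, as an added example that is not part of the original page or of the platform's own client libraries: the Client generates the PKCE verifier and S256 challenge, builds the authorization request, checks `state` on the redirect, and exchanges the code plus verifier for a token. The Authorization Server is simulated in-process (the `AuthorizationServer` class, the client id, redirect URI and AS URL are all assumptions) so the flow runs offline; it also shows the two checks the AS must make, rejecting a replayed code and a wrong verifier.

```python
# Added example (not the platform's code): Authorization Code Flow with PKCE (RFC 7636),
# with the Authorization Server simulated in-process so the exchange runs offline.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url encoding without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def _query(url: str) -> dict:
    """Flatten the query string of a URL into a plain dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """Simulated AS (hypothetical): issues single-use codes bound to the PKCE challenge."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, params: dict) -> str:
        # Runs after the Resource Owner has authenticated and consented to the scope.
        if params.get("response_type") != "code" or params.get("code_challenge_method") != "S256":
            raise ValueError("invalid_request")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (params["client_id"], params["redirect_uri"], params["code_challenge"])
        return code

    def token(self, client_id: str, redirect_uri: str, code: str, code_verifier: str) -> dict:
        # pop(): an authorization code is single-use, so a replayed code is rejected.
        entry = self._codes.pop(code, None)
        if entry is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        bound_client, bound_redirect, challenge = entry
        if client_id != bound_client or redirect_uri != bound_redirect:
            raise PermissionError("invalid_grant: client_id/redirect_uri mismatch")
        # Recompute the challenge from the presented verifier; only the client that started
        # the flow knows the verifier, so an intercepted code alone is useless.
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            raise PermissionError("invalid_grant: PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


def run_flow(auth_server: AuthorizationServer, tamper: bool = False):
    """Drive one complete exchange; returns (authorization_code, token_response)."""
    client_id = "example-client"                       # assumed registration values
    redirect_uri = "https://client.example/callback"
    # Client: a fresh verifier and state for every authorization request.
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    auth_url = "https://as.example/authorize?" + urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "profile:read",
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    })
    # AS: the user agent arrives with those parameters; a code is sent back to redirect_uri.
    request = _query(auth_url)
    code = auth_server.authorize(request)
    callback_url = redirect_uri + "?" + urlencode({"code": code, "state": request["state"]})
    # Client: verify state before spending the code, then exchange code + verifier for a token.
    callback = _query(callback_url)
    if not secrets.compare_digest(callback["state"], state):
        raise PermissionError("state mismatch: possible CSRF on the redirect")
    presented = make_code_verifier() if tamper else verifier  # tamper = attacker without the verifier
    return code, auth_server.token(client_id, redirect_uri, callback["code"], presented)


if __name__ == "__main__":
    as_ = AuthorizationServer()
    code, tokens = run_flow(as_)
    print("token issued:", tokens["token_type"])
    try:
        as_.token("example-client", "https://client.example/callback", code, "anything")
    except PermissionError as exc:
        print("replay rejected:", exc)
```

The verifier never leaves the client until the token request, which goes directly from the client to the AS over TLS; only the challenge travels through the user agent. That is why a public client (mobile or single-page app) that cannot hold a client secret can still prove it is the party that started the flow.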

To authorize applications acting on their own behalf, with no end-user involved, we use the Client Credentials Flow: the application authenticates to the Authorization Server with its own credentials and receives an access token limited to the scopes registered for it. It can be implemented using client libraries for the following use cases:

  • Scheduled Tasks and Cron Jobs

  • Data Synchronization

  • System-to-system integrations

  • Inter-Microservice Communication

  • Internet of Things (IoT) Device Communication

  • Automated Testing Environment

Still pending…

The Application Programming Interface (API)

  • The API is the communication channel between applications: the Resource Server exposes its protected resources through it, and the Client calls it presenting an access token.

  • Supported API styles: HTTP APIs and RESTful APIs

  • Protocol examples: HTTPS, gRPC, AMQPS, SIP, SRTP, etc.

Privileges

Privileges are permissions assigned to an individual user or to a group. A user or application that belongs to a group inherits the privileges of that group in addition to any assigned to it directly.

Groups

A group is a collection of users or other entities that share a common set of privileges.

Permissions

A permission declares an action that a user or an application may perform on a specific resource.

Scope

Scope limits what an application may do on behalf of the user. The Client requests a set of scopes in the authorization request, the user consents to them, and the Authorization Server records the granted scopes in the access token. The Resource Server must reject a request that exceeds the token's scope even when the user holds the underlying permission, so the effective access is the intersection of the user's permissions and the granted scope.
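The Client Credentials Flow from the previous section together with the Resource Server's token validation and the scope check described here, as one added example that is not the platform's own code. The Authorization Server's token endpoint authenticates the client with HTTP Basic, refuses scopes the client is not registered for, and issues a JWT access token; the Resource Server validates the token locally and then enforces the scope each route requires. Assumptions: a constructed client registry and route table, assumed issuer and audience values, and an HS256 JWT with a key shared between the AS and RS (in production an asymmetric key or token introspection is the usual choice).

```python
# Added example (not the platform's code): client_credentials grant issuing a JWT access
# token, and a Resource Server validating it and enforcing per-route scope.
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs

ISSUER = "https://as.example"          # assumed AS identifier
AUDIENCE = "https://api.example"       # assumed RS identifier (the token's intended audience)
SHARED_KEY = secrets.token_bytes(32)   # constructed for the demo; HS256 means AS and RS share it
# Constructed client registry: each confidential client and the scopes it may request.
CLIENTS = {"cron-sync": {"secret": "constructed-secret", "scopes": {"orders:read", "orders:sync"}}}
# Constructed RS route table: the scope each endpoint requires.
ROUTES = {("GET", "/orders"): "orders:read", ("POST", "/orders/sync"): "orders:sync"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def basic_auth_header(client_id: str, secret: str) -> str:
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def jwt_sign(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT; a real AS would use a library and normally an asymmetric key."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def issue_client_credentials_token(authorization: str, form_body: str, now: int) -> dict:
    """AS token endpoint for grant_type=client_credentials (RFC 6749 section 4.4)."""
    scheme, _, encoded = authorization.partition(" ")
    if scheme != "Basic":
        raise PermissionError("invalid_client: Basic authentication required")
    client_id, _, secret = base64.b64decode(encoded).decode().partition(":")
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(secret, client["secret"]):
        raise PermissionError("invalid_client")
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    if form.get("grant_type") != "client_credentials":
        raise PermissionError("unsupported_grant_type")
    requested = set(form.get("scope", "").split())
    if not requested or not requested <= client["scopes"]:
        raise PermissionError("invalid_scope")  # never widen beyond the registered scopes
    claims = {"iss": ISSUER, "sub": client_id, "aud": AUDIENCE, "iat": now, "exp": now + 3600,
              "scope": " ".join(sorted(requested))}
    return {"access_token": jwt_sign(claims, SHARED_KEY), "token_type": "Bearer",
            "expires_in": 3600, "scope": claims["scope"]}


def validate_access_token(token: str, key: bytes, now: int) -> dict:
    """RS-side local validation: signature first, then issuer, audience and expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("invalid_token: malformed")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise PermissionError("invalid_token: unexpected alg")  # pin alg; never trust the token's choice
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise PermissionError("invalid_token: bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise PermissionError("invalid_token: wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise PermissionError("invalid_token: expired")
    return claims


def handle_request(method: str, path: str, authorization: str, now: int) -> tuple:
    """RS dispatcher: 401 for a missing/invalid token, 403 for a valid token lacking the scope."""
    required = ROUTES.get((method, path))
    if required is None:
        return 404, "no such route"
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        return 401, "bearer token required"
    try:
        claims = validate_access_token(token, SHARED_KEY, now)
    except PermissionError as exc:
        return 401, str(exc)
    if required not in claims.get("scope", "").split():
        return 403, f"insufficient_scope: {required} required"
    return 200, f"ok for {claims['sub']}"


if __name__ == "__main__":
    now = int(time.time())
    grant = issue_client_credentials_token(basic_auth_header("cron-sync", "constructed-secret"),
                                           "grant_type=client_credentials&scope=orders:read", now)
    bearer = "Bearer " + grant["access_token"]
    print(handle_request("GET", "/orders", bearer, now))          # 200
    print(handle_request("POST", "/orders/sync", bearer, now))    # 403: scope not granted
    print(handle_request("GET", "/orders", bearer, now + 3601))   # 401: expired
```

Two details are deliberate: the scope check happens only after the signature, issuer, audience and expiry checks have passed, and a token that is valid but lacks the route's scope gets 403 rather than 401, so a client can tell "re-authenticate" apart from "you were never granted this".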
